Message-ID: <5e01c29a0607111954p47f32bfej41e8f86193a541d1@mail.gmail.com>
Date: Wed Jul 12 03:54:50 2006
From: michaelslists at gmail.com (mikeiscool)
Subject: Cookies marked as secure

On 7/12/06, Josh L. Perrymon <joshuaperrymon@...il.com> wrote:
> Ok,
>
> I'm having a discussion with a buddy about secure cookies. I'm looking
> at a Java application that used several cookies after logging in;
>
>   SessionID
>   CookieIDtype
>   FailMSGID
>
> so on...
>
> Obviously the application is using some code that performs additional
> sessions on top of the standard sessionID.
>
> What I'm seeing is that once I log in to the app, the Set-Cookie:
> statement has /Secure marked.  However, all the client/server
> traffic afterwards is NOT marked with /Secure.
>
> I read the RFC and it says something like "HTTP is stateless,
> therefore all sensitive cookies sent over HTTPS should be marked as
> /SECURE, so they are not passed over HTTP."
>
> So my questions finally:
> When a cookie needs to be secure, should it be marked as /SECURE in
> client requests to the server, OR can it be marked secure within the
> physical cookie itself, on the HD?

Well, it'd have to be in the cookie itself; otherwise you'd basically be
sending the cookie but saying "here, this cookie is secure, please
don't receive it", which doesn't make sense and defeats the point.

But better still is to use a subdomain for your secure cookie and not
allow http:// access to it, or at the very least encrypt and/or hash
the cookie yourself.

-- mic
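The behaviour mic describes, as an added example that is not part of the original thread: the Secure attribute is recorded in the stored cookie when the client processes Set-Cookie, and the client, not the server, then withholds that cookie from plain http:// requests. The jar below models that rule, plus host-only (no Domain attribute) scoping so the "put it on a subdomain" suggestion can be seen working. The host names, cookie names and values are constructed for the example; only the Secure, Domain and Path attributes are modelled (HttpOnly, expiry and SameSite are ignored).

```javascript
'use strict';

// Parse one Set-Cookie header value into a stored-cookie record.
// requestHost is the host the response came from; without a Domain
// attribute the cookie is host-only, i.e. sent to that exact host only.
function parseSetCookie(header, requestHost) {
  const parts = header.split(';').map(s => s.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  if (eq < 1) throw new Error('malformed cookie pair: ' + parts[0]);
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    secure: false,                        // set only when "Secure" is present
    domain: requestHost.toLowerCase(),
    hostOnly: true,
    path: '/',
  };
  for (const attr of parts.slice(1)) {
    const [k, ...rest] = attr.split('=');
    const key = k.trim().toLowerCase();
    const val = rest.join('=').trim();
    if (key === 'secure') {
      cookie.secure = true;               // flag attribute, no value
    } else if (key === 'domain' && val) {
      cookie.domain = val.replace(/^\./, '').toLowerCase();
      cookie.hostOnly = false;
    } else if (key === 'path' && val.startsWith('/')) {
      cookie.path = val;
    }
    // HttpOnly, Expires, Max-Age, SameSite: not modelled here
  }
  return cookie;
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Store cookies from a response. The Secure attribute lives in the
  // stored record: there is nowhere else on the client to keep it.
  store(setCookieHeaders, requestHost) {
    for (const h of setCookieHeaders) {
      const c = parseSetCookie(h, requestHost);
      this.cookies = this.cookies.filter(o =>
        !(o.name === c.name && o.domain === c.domain && o.path === c.path));
      this.cookies.push(c);
    }
  }

  // Build the Cookie request header for a URL. A Secure cookie is
  // attached only when the request scheme is https; the server never
  // sees the attribute, it only sees the cookie or not.
  cookieHeaderFor(url) {
    const u = new URL(url);
    const host = u.hostname.toLowerCase();
    const https = u.protocol === 'https:';
    const matches = this.cookies.filter(c => {
      const domainOk = c.hostOnly
        ? host === c.domain
        : (host === c.domain || host.endsWith('.' + c.domain));
      const prefix = c.path.endsWith('/') ? c.path : c.path + '/';
      const pathOk = u.pathname === c.path || u.pathname.startsWith(prefix);
      return domainOk && pathOk && (https || !c.secure);
    });
    return matches.map(c => `${c.name}=${c.value}`).join('; ');
  }
}

// Constructed scenario: a login over https sets SessionID with Secure and
// FailMSGID without it, and a separate host-only token is set by a
// hypothetical secure.example.com. Returns what the client would send.
function demo() {
  const jar = new CookieJar();
  jar.store(['SessionID=abc123; Path=/; Secure',
             'FailMSGID=0; Path=/'], 'app.example.com');
  jar.store(['AuthToken=xyz; Path=/; Secure'], 'secure.example.com');
  return {
    overHttps: jar.cookieHeaderFor('https://app.example.com/account'),
    overHttp: jar.cookieHeaderFor('http://app.example.com/account'),
    otherHost: jar.cookieHeaderFor('https://www.example.com/'),
    secureHost: jar.cookieHeaderFor('https://secure.example.com/'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Running `demo()` shows SessionID present on the https request and absent on the http one while FailMSGID appears on both, and AuthToken reaching only secure.example.com. The second point is why the subdomain advice works: a host-only Secure cookie on a host that does not answer plain HTTP has no request on which it could leak.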
